Securing applications on public facing systems

ABSTRACT

Techniques are disclosed for configuring a virtual machine instance accessed over a publically routable network address to host intranet applications. A virtual (or “dummy”) interface on the virtual machine instance is assigned an IP address that is inaccessible from the public interface. An application executed on the virtual machine instance is bound to a port on the network address assigned to this dummy interface. A virtual private network server assigns client&#39;s IP addresses that can be routed to the dummy interface. When a client computing system connects to the VPN server over the virtual machine instance&#39;s public interface, the client forwards traffic destined for the dummy interface&#39;s inaccessible network over the VPN connection.

BACKGROUND

Embodiments presented herein relate to cloud-based computingenvironments. More specifically, embodiments presented herein relate toproviding secure access to applications executing on virtual machinesaccessed over public facing networks.

Infrastructure as a service (IaaS) or cloud computing generally refersto the provision of scalable computing resources as a service over anetwork. More formally, cloud computing may be defined as a computingcapability that provides an abstraction between the computing resourceand its underlying technical architecture (e.g., servers, storage,networks), enabling convenient, on-demand access to a shared pool ofconfigurable computing resources that can be rapidly provisioned andreleased with minimal management effort or service provider interaction.Cloud computing may provide a user with a variety of virtual computingresources (e.g., compute, storage, and applications,). Cloud providersmay also allow clients to instantiate virtual machine instances, i.e., avirtualized computing server, within “the cloud,” without regard for theunderlying physical systems (or locations of those systems) used toprovide the virtualized computing server.

Given the ease with which virtual machine instances can be created andscaled, cloud computing provides an enterprise with easy access to largeamounts of computing power without requiring the investment in largenumbers of physical server systems. Further, even where smaller amountsof resources are needed, cloud computing provides an approach that doesnot require an enterprise to purchase, configure, and maintain aphysical computing infrastructure. As a result many enterprises havemoved (or are interested in moving) applications to cloud based hostingservices.

Virtual machine instances running on a publicly available infrastructureas a service (IaaS) offering or on a cloud based deployment aretypically provisioned with a single, publicly accessible networkinterface and IP address. That is, the network address of the virtualmachine instance is typically accessible by the public at large. At thesame time, enterprises may have a suite of intranet based applicationsthat lack user authentication or secure communication mechanisms thatthey want to move to a cloud based deployment. However such applicationsmay have been developed to run inside an enterprise intranet, andexposing such applications over a publically routable IP address resultsin unacceptable security risks.

While such applications might be modified to support username/password(or other) authentication mechanisms, doing so requires modifying anexisting code base, which in the case of a commercial application maynot even be possible, and even where possible is susceptible to weakpasswords and other vulnerabilities. In addition, if the existingapplication doesn't support encrypted communications, this would need tobe added as well.

SUMMARY

Embodiments presented herein provide a method for a method ofconfiguring access to an application on a virtual machine (VM) instancehosted in a computing cloud. This method may generally includeconfiguring a dummy interface on the virtual machine (VM) instance. Thedummy interface is assigned a network address that is inaccessible fromthe public interface. This method may also include binding theapplication to the dummy interface and establishing a VPN connectionbetween a VPN server on the VM instance and a VPN client executing on aremote computing system. A VPN interface on the VPN client is assigned anetwork address that can be routed to the dummy interface, and anapplication on the client forwards packets to the application bound tothe dummy interface over the VPN connection.

Another embodiment of the invention includes a computer program productstoring a virtual machine (VM) instance, which when executed by aprocessor, performs an operation for providing access to an applicationexecuted on the VM instance. The operation may generally includeconfiguring a dummy interface on the virtual machine (VM) instance. Thedummy interface is assigned a network address that is inaccessible fromthe public interface. The operation may further include binding theapplication to the dummy interface and establishing a VPN connectionbetween a VPN server on the VM instance and a VPN client executing on aremote computing system. A VPN interface on the VPN client is assigned anetwork address that can be routed to the dummy interface, and anapplication on the client forwards packets to the application bound tothe dummy interface over the VPN connection.

Still another embodiment includes a system having a processor and amemory a memory storing a hypervisor configured to execute a virtualmachine (VM) instance. The VM instance is configured to provide accessto an application executed on the VM instance by performing an operationwhich includes configuring a dummy interface on the virtual machine (VM)instance. The dummy interface is assigned a network address that isinaccessible from the public interface. This operation may furtherinclude binding the application to the dummy interface and establishinga VPN connection between a VPN server on the VM instance and a VPNclient executing on a remote computing system. A VPN interface on theVPN client is assigned a network address that can be routed to the dummyinterface, and an application on the client forwards packets to theapplication bound to the network interface over the VPN connection.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited aspects are attained andcan be understood in detail, a more particular description ofembodiments of the invention, briefly summarized above, may be had byreference to the appended drawings.

It is to be noted, however, that the appended drawings illustrate onlytypical embodiments of this invention and are therefore not to beconsidered limiting of its scope, for the invention may admit to otherequally effective embodiments.

FIG. 1 illustrates an example computing infrastructure used to providesecure access to applications executing in a publically accessiblecomputing cloud, according to one embodiment of the invention.

FIG. 2 illustrates an example of a computing server configured toprovide cloud-based computing resources, according to one embodiment ofthe invention.

FIG. 3 illustrates an example of a virtual machine instance, accordingto one embodiment of the invention.

FIGS. 4A-4B are functional block diagrams of a virtual machine instanceconfigured to provide secure access to applications, according to oneembodiment of the invention.

FIG. 5 is a timing sequence diagram illustrating a method for providingaccess to an application hosted on a virtual machine instance executingin a publically accessible computing cloud, according to one embodimentof the invention.

DETAILED DESCRIPTION

Embodiments of the invention provide techniques for securing computeresources within a computing cloud. More specifically, embodiments ofthe invention provide techniques for configuring a virtual machineinstance accessed over a publically routable network address to hostintranet applications which themselves do not support userauthentication mechanisms or secure network communications. In othercases, an application may provide authentication and securecommunication but the data is “sensitive” enough that an enterprisenevertheless desires to limit exposure or may be wary of applicationbugs that could expose data.

In one embodiment, a virtual network interface (referred to as a “dummy”interface) is assigned an internet protocol (IP) address on a networkthat is inaccessible from the public network and that does not conflictwith the client networks requiring access. That is, the dummy interfacecreates an IP network interface for a network that exists only on thevirtual machine instance. Such an address may conform to the internetprotocol network layer protocol, but other network layer protocols couldbe used. An application executed on the virtual machine instance bindsto a port on a network address assigned to this dummy interface. Avirtual private network (VPN) server listens on the publicly accessiblenetwork interface of the virtual machine instance. That is, the VPNserver listens for traffic addressed to the publically routable IPaddress of the virtual machine instance. The VPN server assigns clientsIP addresses from a network block used by the dummy interface. When aclient computing system connects to the VPN server over the virtualmachine instance's public interface, the client forwards network trafficdestined for the dummy interface's inaccessible network over the VPNconnection. In turn, the VPN server passes traffic received from theclient destined for the “dummy” interface, and in turn, to theapplication.

This approach allows secure access to applications bound to the dummyinterface without requiring any modifications to such applications.Further, by configuring the VPN server to enforce an appropriatesecurity policy, this approach does have to be susceptible to weakpasswords or other common vulnerabilities. Thus embodiments of theinvention allow an enterprise to migrate intranet (and other)applications to publicly available hosting infrastructure (i.e., tovirtual machine instances in “the cloud”), even though such applicationswere developed for deployment on a private intranet.

Further, this approach of routing VPN traffic to the dummy interface(over the use of a private VLAN for example) can help build a “trust”case for the cloud provider. For example, if an enterprise customerknows that it is not possible for any of the intranet applicationstraffic from the dummy interface to flow anywhere besides out to theclients through the VPN server (as the network only exists otherwise onthe virtual machine instance), it may be easier for the provider toconvince enterprise customers of the desirability of a cloud deploymentfor intranet applications. In another case, a service provider may offeran application as a service, where the application can be consideredsecure from public at large and still be able to be managed by theservice provider without accessing a customer's private network.

FIG. 1 illustrates an example computing infrastructure 100 used toprovide secure access to applications executing in a publicallyaccessible computing cloud, according to one embodiment of theinvention. As shown, the computing infrastructure 100 includes a cloudprovider 105, a client computing system 130 ₁₋₂, and a VPN gateway 135,all connected to a common IP network 120 (such as the Internet).

Illustratively, the cloud provider 105 hosts a virtual machine instance110, which itself is executing a hosted application 115. The virtualmachine instance 110 (VMI) provides a software implementation ofcomputing system that executes applications (e.g., hosted application115) like a physical machine. That is, virtual machine instance 110provides a complete computing platform which supports the execution ofan operating system (OS), which in turn executes user level applicationsas though they were running on a physical computing system. Enterprisescan create virtual machine instances using the service offered by cloudprovider 105 without having to invest in and maintain physical computingresources.

In this example, hosted application 115 corresponds to a softwareapplication generally designed to execute inside a corporate intranet orlocal network—that is to an application not designed to be exposed overa publically accessible networks. Client computer 130 ₁₋₂ may eachinclude a VPN client 130 ₁₋₂ used to create virtual network interface onthe client computer that routes traffic to/from a VPN server, e.g., aVPN server on the virtual machine instance 110. Further, in thisexample, client computer 130 ₁ includes a web-browser 132 used tocommunicate with the virtual machine instance 110 (and hostedapplication 115) over the network 120. For example, the hostedapplication could include a web server, application server, and adatabase. In such a case, the hosted application 115 is accessed usingHTTP URLs, to access, retrieve, and ultimately render an interface tothe hosted application 115 on the web browser 132. Similarly, clientcomputer 130 ₂ includes a client application 132 used to communicatewith the virtual machine instance 110 (and hosted application 115) overthe network 120. In such a case, the hosted application 115 could be aserver or daemon configured to process requests by a client application133 specifically developed to access services provided by the hostedapplication 115.

In either case, however, the hosted application 115 may not provide theappropriate security mechanisms needed to protect the application 115(or associated data) from unwanted, unauthorized, or malicious access.For example, an intranet application may not require users toauthenticate themselves with a username and password or might notencrypt traffic exchanged between itself and a client (e.g., betweenitself and web browser 132 or client application 133). To address thisissue, in one embodiment, the hosted application 115 is bound to a dummyinterface configured on the virtual machine instance 110. The dummyinterface provides a network address and corresponding TCP/IP stack thatis not accessible outside of the virtual machine instance. Further a VPNserver running on the virtual machine instance is used to direct trafficto/from hosted application 115 via the dummy interface. Because the VPNserver (and associated VPN clients) may provide a strong securityframework, the hosted application 115 can be safely migrated to thecloud provider 105 without needing to be refactored to addauthentication and security mechanisms.

Further, in one embodiment, a VPN gateway 135 may be used to routetraffic to the VPN server on the virtual machine instance 110. In such acase, rather than clients establishing a VPN connection the VPN serverindividually, hosts on a private LAN 140 send traffic to the hostedapplication 115 by way of the VPN gateway 135 using routing tableentries on the VPN gateway 135.

FIG. 2 illustrates an example of a computing server 200 configured toprovide cloud-based computing resources, according to one embodiment ofthe invention. Computing server 200 generally corresponds to a physicalcomputing system managed, e.g., by the cloud provider 105 shown inFIG. 1. Accordingly, computing server 200 could be one of many systemspresent in a data center managed by the cloud provider 105. As shown,the computing server 200 includes, without limitation, a centralprocessing unit (CPU) 205, a network interface 215, an interconnect 217,a memory 220 and storage 230. The computing server 200 may also includean I/O device interface 210 connecting I/O devices 212 (e.g., keyboard,display and mouse devices) to the computing server 200.

The CPU 205 retrieves and executes programming instructions stored inthe memory 225. Similarly, the CPU 205 stores and retrieves applicationdata residing in the memory 225. The interconnect 220 facilitatestransmission, such as of programming instructions and application data,between the CPU 205, I/O devices interface 210, storage 230, networkinterface 215, and memory 225. CPU 205 is included to be representativeof a single CPU, multiple CPUs, a single CPU having multiple processingcores, and the like. And the memory 225 is generally included to berepresentative of a random access memory. The storage 230 may be a diskdrive storage device. Although shown as a single unit, the storage 230may be a combination of fixed and/or removable storage devices, such asfixed disc drives, floppy disc drives, tape drives, removable memorycards or optical storage, network attached storage (NAS), or a storagearea-network (SAN). Application data 235 generally corresponds to anyinformation written to disk by the hypervisor 224 (for itself or onbehalf of a guest VM instance), OS kernel 222 or other applicationsexecuted on the computing server 200.

As shown, the memory 225 operating system (O/S) kernel 222, a hypervisor224 and guest virtual machine instance 226 and memory 230 includesapplication data 235. OS kernel 222 provides the core operating systemcomponents and drivers used to control the physical hardware componentsof the computing server 200. Hypervisor 224, also called virtual machinemanager (VMM), provides a software application that allows multipleoperating virtual machine instances, e.g., VM instance 226, to runconcurrently on computing server 200. As is known, the hypervisor 224presents each guest VM instance 226 with a virtual operating platformand manages the execution of the guest operating systems on thevirtualized systems. In context of the present invention, one (or more)of the guest VM instances 226 may be configured to execute an intranetapplication bound to a dummy interface on the VM instance, i.e., to avirtualized network interface on the virtualized hardware of the guestVM instance 226. In turn, the hypervisor 224 executes multiple VMinstances 226 transparently to one another.

FIG. 3 further illustrates an example of a VM instance 226, according toone embodiment of the invention. As shown, the VM instance 226 includesvirtualized hardware 305, guest operating system 310 and an intranetapplication 315. Virtualized hardware 305 corresponds to the virtualizedphysical computing provided by the hypervisor to the guest operatingsystem 310. For example, the virtualized resources may include avirtualized CPU clocked to a specified frequency or having a specifiednumber of processing cores. Similarly, virtualized hardware 305 may alsoinclude a virtualized memory storage, providing a range of memoryaddresses read from and written to by the guest operating system 310 andintranet application 315 in the same manner as physical memory modules.Virtualized hardware 305 may also include one (or more) virtual networkinterfaces as well as storage volumes mounted by the operating system310.

Collectively, the virtualized hardware 305 provides a collection ofcomputing resources managed by a guest operating system 310 in the samemanner as a comparable set of physical computing hardware. That is, theguest operating system 310, e.g., a distribution of the Linux® operatingsystem, is installed, booted and executed on the virtual hardware in thesame manner as a physical server. Note, Linux is a trademark of LinusTorvalds in the U.S. and in other countries. System calls invoked by theguest operating system 310 are intercepted by the hypervisor, whichperforms the requested operation and provides the appropriate responseback to the guest operating system 310. For example, the guest operatingsystem may invoke I/O operations to read data from a specified memoryaddress on behalf of an application. Such a call is intercepted by thehypervisor, which performs the requested memory read, and returns datato the operating system. Intranet application 315 provides a softwareapplication executed by the guest operating system. As noted, intranetapplication 315 may be designed to execute inside a corporate intranetor local network—that is to an application not designed to be exposedover a publically accessible networks. And further, to the internetapplication (and guest operating system 310).

In one embodiment, a dummy interface is configured on the guestoperating system 310. The dummy interface provides a virtual networkinterface on the VM instance 226. This dummy interface is assigned an IPaddress and can have packets routed to/from the interface like anyother. In one embodiment, the IP address may be assigned from one of thereserved IP addresses such as the 10.0.0.0/8 block or the 192.168.0.0/16block. Any network packets sent to/from the dummy interface areeffectively routed back to the same VM machine instance 226. Further,the intranet application 315 is bound to the IP address (and a port)associated with the dummy interface on the VM instance 226. This resultsin the intranet application being accessible only over a virtual networkon VM machine instance 226. For example, assume the intranet application315 is a database server listening on port 3306. Binding the databaseserver using this port to the dummy interface makes the database serveraccessible only from applications on the virtual machine instance 226.For example, a query application running on the VM instance 226 couldsend database queries to the server, while applications on other systemscould not.

In such a case, to allow outside applications to access the databaseserver, a VPN server is configured to allow clients to connect to the VMinstance 226 and provide network addresses to such clients using theaddresses from the same block as the dummy interface (e.g., one of the10.0.0.0/8 block or the 192.168.0.0/16 blocks). The VPN server,therefore, limits network access to users already authorized for thecompany network on behalf of the intranet application. The VPN serverdoesn't handle all security issues, but

This approach is shown in FIGS. 4A-4B, which provides functional blockdiagrams of virtual machine instances configured to provide secureaccess to intranet applications, according to one embodiment of theinvention. First, FIG. 4A shows a virtual machine instance 400 with avirtual network interface 405. As noted, the virtual machine instance400 may be executed on physical computing system managed by computingcloud provider. Further, the cloud provider may provision the virtualmachine instance with a publically routable IP address, allowing accessto the virtual machine instance 400 within the computing cloud. Asshown, virtual machine instance 400 includes a virtual network interfacevNIC 405 (an element of the virtualized computing hardware). A user mayaccess the virtual machine instance 405 using a variety of shells,terminals, remote desktop applications in order to install software,manage existing software, etc., or more generally, simply access thecomputing resources of the VM instance.

As shown in FIG. 4A, applications 410 ₁ and 410 ₂ are accessible overthe public IP address assigned to vNIC 405. In many cases, this isdesirable, e.g., assume applications 410 ₁₋₂ provide a web andapplication server used to provide an enterprises' public web site. Inother cases, however, the enterprise may have applications that are notintended to be generally accessible. As noted, such intranetapplications have conventionally been deployed within an enterprise'sinternal networks and frequently do not include the appropriate securityfeatures needed for a public-facing application.

FIG. 4B illustrates an example virtual machine instance 440 deployed ona publically accessible computing cloud. As shown in FIG. 4B, virtualmachine instance 440 has been configured to provide secure access tosuch an intranet application 465, according to one embodiment of theinvention Like virtual machine instance 400 of FIG. 4A, virtual machineinstance 440 of FIG. 4B includes a vNIC 450 used to connect the virtualmachine instance 440 to an IP network 120 such as the Internet. Doing soallows users to access application 410 as well as access the virtualmachine instance 440 (e.g., using a remote desktop application).

Additionally, virtual machine instance 440 includes an intranetapplication 465. In this example, the intranet application 465 is boundto a dummy interface 460 on the virtual machine instance 440. To accessthe intranet application 465, a remote access VPN client 470 establishesa connection with the VPN server 455. Doing so may involve a userproviding authentication credentials (e.g., a username and password orother digital credentials). The VPN server 455 assigns an address to VPNclient 470 using the same network address block as an IP addressassigned to the dummy interface 460. A client application can sendnetwork packets addressed to the intranet application 465. The VPNclient 470 encrypts the packets and encapsulates the resulting encryptedpayload with an outer IP header. The resulting packets are routed overnetwork 120 to the vNIC (and public IP Address of the virtual machineinstance 440), which forwards them to the VPN server 455. The VPN server455 decrypts, decapsulates, and forwards the inner packet to the dummyinterface 460, which in turn forwards the inner packet to the intranetapplication 465.

Network packets sent by the intranet application 465 to a clientapplication traverse the same path in reverse. Such packets meetcriteria for the VPN connection and so are encapsulated and encrypted bythe VPN server 460 and forwarded to the public IP of the clientcomputing system. Once received, the VPN client 470 decrypts anddecapsulates the packets before forwarding them back to the clientapplication. As noted, in addition to establishing a connection withindividual remote access VPN clients 470, a collection of hosts mayforward traffic to a VPN gateway 475, where the VPN gateway hasestablished a connection to the VPN server 455 (and intranet application460).

FIG. 5 is a timing sequence diagram illustrating a method 500 forproviding access to an intranet application 520 hosted on a virtualmachine instance 525 executing in a publically accessible computingcloud, according to one embodiment of the invention. More specifically,FIG. 5 illustrates a set of interactions for applications on clientcomputing system 505 to access an intranet application 520 executing ona virtual machine instance 525. As shown, at 530, the intranetapplication 520 is bound to a dummy interface 515 on the virtual machineinstance 525. For example, a user may configure the intranet application520 to listen for network traffic addressed to an IP address assigned tothe dummy interface that is sent to a specific port. Doing so allows theintranet application 520 to be accessed by applications on the virtualmachine instance 525.

At 531, the client 505 establishes a connection to the public IP of theVM instance 525. For example, a VPN client on the client computer 505may connect to the VPN server 510. Doing so may require a user toprovide the appropriate credentials to the VPN server 510 in order to beallowed to join the VPN. At 532, provided the user is successfullyauthenticated, the VPN server 510 assigns an IP address to use on a VPNinterface on the client computer 505. In one embodiment, the addressassigned to the VPN interface on the client 505 is selected from thesame block as the dummy interface 515 (e.g., one of the 10.0.0.0/8 blockor the 192.168.0.0/16 blocks). At 533, a user launches the intranetapplication 520, e.g., by launching a web link or a rich clientconfigured to connect to the IP address assigned to the dummy interface515. And at 534, a TCP/IP connection is established between the clientVPN's assigned IP and the dummy interface's IP.

Once established, the packet flow for this TCP connection and subsequentapplication packet flows is as follows. At 535, network traffic sent bythe web browser or rich client to the dummy interface IP address meetsthe criteria for the VPN connection and, as a result, is encapsulatedand encrypted by the VPN client. At 536, the resulting encrypted packetsare forwarded to the public IP on the virtual machine instance 525(i.e., to the VPN server 510). Once receive, the packets are forwardedto the VPN server 510 where they are decrypted and decapsulated (at537), leaving the inner packet which is destined for the IP address ofthe dummy interface 515 and the port for the intranet application 520.At 538, this packet is forwarded up the TCP/IP stack of the dummyinterface 515, where it received and processed by the intranetapplication 520.

In the other direction, at 538, application packets are sent by theintranet application 520 using the bound dummy interface's IP address.Such packets meet the criteria of the VPN connection, and so areencapsulated and encrypted by the VPN server 510 (at 545) and forwardedto the public IP address of the client application (at 546). Oncereceived over the public IP address of the client computer 505, the VPNpackets are forwarded to the VPN client interface, where they aredecrypted and decapsulated (at 547), leaving the inner packet asoriginally sent by the intranet application 520 towards the dummyinterface 515. The inbound application packet may then be forwarded upthe TCP/IP stack on the client, where it is received and processed bythe web browser or rich client executing on client computer 505.

As noted, in an alternative embodiment, a VPN gateway establishes a VPNconnection to VPN server accessed using the public IP address of thevirtual machine instance. In such a case, the VPN connection isconfigured to tunnel packets between a subnet on which the clientcomputer resides and the subnet of the dummy interface. And routing isconfigured within the client's network such that packets destined forthe dummy interface are routed through the VPN gateway, where they areencapsulated and encrypted (in one direction) and decrypted anddecapsulated (in the other direction) as packets are sent to and fromthe virtual machine instance. Such a VPN connection can be persistent orbe configured to be established on demand, e.g., when a client launchesthe intranet application using a web link or a rich client.

In this embodiment, a TCP connection is established between the IP ofthe client application and the IP address on the dummy interface.Further, in such a case, the IP address assigned to the dummy interfaceon the virtual machine instance can be specified by the customer so thatthe customer can ensure there are no conflicts with an existingon-premise (client side) network. The packet flow for this TCPconnection (and subsequent application packet flows) is as follows.Outbound packets from the client application are routed to the clientVPN gateway based on routing tables within the client's network. Packetsreceived on the client's VPN gateway matching the VPN criteria are,encrypted, encapsulated, and forwarded to the public IP address on thevirtual machine instance.

Inbound VPN packets received by the public IP address on the virtualmachine instance are processed as described above for packets sent by asingle VPN client. Similarly, outbound application packets sent from theserver (using the bound dummy interfaces IP address) meet the criteriafor the VPN connection and so are encapsulated and encrypted by the VPNserver and forwarded to the VPN gateway in the client's network.

VPN packets sent from the virtual machine instance are then receivedover the public IP on the VPN gateway in the client's network, wherethey are decrypted and decapsulated, leaving the inner packet destinedfor the IP interface for the client application. Such packets are thenrouted to the client application.

Advantageously, embodiments described herein allow secure access toapplications running on a virtual machine instance in “the cloud.” Inone embodiment, a dummy interface is assigned an IP address on a networkinaccessible from the public interface. An application executed on thevirtual machine instance is bound to a port on the IP address assignedto this dummy interface. A VPN server listens for traffic addressed tothe publically routable IP address of the virtual machine instance. TheVPN server assigns clients IP addresses that are routable to the dummyinterface. When a client computing system connects to the VPN serverover the virtual machine instance's public interface, the clientforwards network traffic destined for the dummy interface's inaccessiblenetwork over the VPN connection. In turn, the VPN server forwardstraffic received from the client to the “dummy” interface, and in turn,to the application. In an alternative embodiment, a VPN gateway 135 maybe used to route traffic for an entire subnet to the VPN server on thevirtual machine instance 110.

Embodiments of the present invention may also be delivered as part of aservice engagement with a client corporation, nonprofit organization,government entity, internal organizational structure or the like. Theseembodiments may include configuring a computer system to perform, anddeploying software, hardware, and web services that implement, some orall of the methods described herein. These embodiments may also includeanalyzing the client's operations, creating recommendations responsiveto the analysis, building systems that implement portions of therecommendations, integrating the systems into existing processes andinfrastructure, metering use of the systems, allocating expenses tousers of the systems, and billing for use of the systems, For example,in context of the described embodiments, a cloud provider may invoice auser consuming cloud based computing resources such as a virtual machineinstance configured with a dummy interface and VPN server.

In this application, reference is made to embodiments of the invention.However, it should be understood that the invention is not limited tospecific described embodiments. Instead, any combination of thefollowing features and elements, whether related to differentembodiments or not, is contemplated to implement and practice theinvention. Furthermore, although embodiments of the invention mayachieve advantages over other possible solutions and/or over the priorart, whether or not a particular advantage is achieved by a givenembodiment is not limiting of the invention. Thus, the followingaspects, features, embodiments and advantages are merely illustrativeand are not considered elements or limitations of the appended claimsexcept where explicitly recited in a claim(s). Likewise, reference to“the invention” shall not be construed as a generalization of anyinventive subject matter disclosed herein and shall not be considered tobe an element or limitation of the appended claims except whereexplicitly recited in a claim(s).

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct. Accordingly, aspects of the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment(including firmware, resident software, micro-code, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module” or “system.”Furthermore, aspects of the present invention may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thepresent invention may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Smalltalk, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Aspects of the present invention are described above with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

While the foregoing is directed to embodiments of the present invention,other and further embodiments of the invention may be devised withoutdeparting from the basic scope thereof, and the scope thereof isdetermined by the claims that follow.

1. A method of configuring access to an application on a virtual machine(VM) instance hosted in a computing cloud, comprising: configuring adummy interface on the virtual machine (VM) instance, wherein the dummyinterface is assigned a network address that is inaccessible from thepublic interface; binding the application to the dummy interface; andestablishing a VPN connection between a VPN server on the VM instanceand a VPN client executing on a remote computing system, wherein a VPNinterface on the VPN client is assigned a network address that can berouted to the dummy interface, and wherein an application on the clientforwards packets to the application bound to the dummy interface overthe VPN connection.
 2. The method of claim 1, wherein the VPN server isaccessed using a public network address assigned to a virtual networkinterface on the VM instance.
 3. The method of claim 2, wherein the VPNconnection encrypts network packets forwarded over a public networkaddress of the remote computing system to the public network address ofthe VM instance.
 4. The method of claim 1, wherein the VPN server isconfigured to authenticate a request to establish the VPN connection. 5.The method of claim 1, wherein the remote computing system is a VPNgateway.
 6. The method of claim 5, wherein the VPN gateway is part of aprivate network subnet, and wherein network packets addressed to thedummy interface on the VM instance are routed to the VPN gateway.
 7. Themethod of claim 1, wherein the application is bound to the dummyinterface for one or more specified network ports.
 8. The method ofclaim 1, further comprising: receiving, by the VPN server, from theapplication, one or more network packets addressed to the networkaddress assigned to the VPN interface on the remote computing system;and forwarding, over the VPN connection, the one or more receivedpackets to a public network address of the remote computing system. 9.The method of claim 1, further comprising: metering use of the VMinstance associated with a request; and generating an invoice based onthe metered use.
 10. A computer program product storing a virtualmachine (VM) instance, which when executed by a processor, performs anoperation for providing access to an application executed on the VMinstance, the operation comprising: configuring a dummy interface on thevirtual machine (VM) instance, wherein the dummy interface is assigned anetwork address that is inaccessible from the public interface; bindingthe application to the dummy interface; and establishing a VPNconnection between a VPN server on the VM instance and a VPN clientexecuting on a remote computing system, wherein a VPN interface on theVPN client is assigned a network address that can be routed to the dummyinterface, and wherein an application on the client forwards packets tothe application bound to the dummy interface over the VPN connection.11. The computer program product of claim 10, wherein the VPN server isaccessed using a public network address assigned to a virtual networkinterface on the VM instance.
 12. The computer program product of claim10, wherein the VPN connection encrypts network packets forwarded over apublic network address of the remote computing system to the publicnetwork address of the VM instance.
 13. The computer program product ofclaim 10, wherein the VPN server is configured to authenticate a requestto establish the VPN connection.
 14. The computer program product ofclaim 10, wherein the remote computing system is a VPN gateway.
 15. Thecomputer program product of claim 14, wherein the VPN gateway is part ofa private network subnet, and wherein network packets addressed to thedummy interface on the VM instance are routed to the VPN gateway. 16.The computer program product of claim 10, wherein the application isbound to the dummy interface for one or more specified network ports.17. The computer program product of claim 10, wherein the operationfurther comprises: receiving, by the VPN server, from the application,one or more network packets addressed to the network address assigned tothe VPN interface on the remote computing system; and forwarding, overthe VPN connection, the one or more received packets to a public networkaddress of the remote computing system.
 18. A system, comprising: aprocessor; and a memory storing a hypervisor configured to execute avirtual machine (VM) instance, wherein the VM instance is configured toprovide access to an application executed on the VM instance byperforming an operation, comprising: configuring a dummy interface onthe virtual machine (VM) instance, wherein the dummy interface isassigned a network address that is inaccessible from the publicinterface, binding the application to the dummy interface, andestablishing a VPN connection between a VPN server on the VM instanceand a VPN client executing on a remote computing system, wherein a VPNinterface on the VPN client is assigned a network address that can berouted to the dummy interface, and wherein an application on the clientforwards packets to the application bound to the dummy interface overthe VPN connection.
 19. The system of claim 18, wherein the VPN serveris accessed using a public network address assigned to a virtual networkinterface on the VM instance.
 20. The system of claim 19, wherein theVPN connection encrypts network packets forwarded over a public networkaddress of the remote computing system to the public network address ofthe VM instance.
 21. The system of claim 18, wherein the VPN server isconfigured to authenticate a request to establish the VPN connection.22. The system of claim 18, wherein the remote computing system is a VPNgateway.
 23. The system of claim 22, wherein the VPN gateway is part ofa private network subnet, and wherein network packets addressed to thedummy interface on the VM instance are routed to the VPN gateway. 24.The system of claim 18, wherein the application is bound to the dummyinterface for one or more specified network ports.
 25. The system ofclaim 18, wherein the operation further comprises: receiving, by the VPNserver, from the application, one or more network packets addressed tothe network address assigned to the VPN interface on the remotecomputing system; and forwarding, over the VPN connection, the one ormore received packets to a public network address of the remotecomputing system.